Recently I have been looking into the vulnerabilities in the TLS negotiation process discovered late last year.

There is a range of experts debating the exploit methods, the tools, and how it may be fixed (server side, client side, or both). From what I have seen so far this may prompt a change to the TLS standard to introduce a protocol extension that validates sessions (session hand-off and certificate validity).

I have an iPhone and have been loading ham applications onto it. Below is a list of some of them.

Amateur Radio Exam Prep for iPhone – Amateur Radio License exams are composed of questions from a pool. Use this application to practice all possible questions prior to taking your exam.

CallBook for iPhone – CallBook is an Amateur Radio application that allows you to look up call signs via the free WM7D server, the QRZ Online subscription service or the HamCall subscription server, and track active APRS stations on www.aprs.fi. Lookup results can be emailed and the QTH can be instantly viewed in the Maps application.

FreqLoader: iPhone companion for the mobile ham – FreqLoader is the perfect iPhone/iPod Touch companion for amateur radio operators, monitoring enthusiasts, shortwave listeners and anyone with an interest in the air waves. Whether you're an active licensed ham or an avid scanner listener, FreqLoader will allow you to find what you're looking for, keep track of your stations, maintain complete logs and share your finds with friends, groups and the world.

iLocator for iPhone – A small application for the Apple iPhone that calculates a grid locator from GPS, WiFi or GSM cells, by IW2BSQ.

iPhone Ham Radio Callsign Lookup – This web app provides an iPhone-compatible lookup of Amateur Radio callsigns. It provides the name, address, and license class (from the FCC's public records) of any US-licensed Amateur Radio Operator.

A few years back, some friends and I were messing around with a Taco Bell's drive-thru frequencies. RijilV and isotek showed me how easy it was to hijack the frequencies of just about any fast food restaurant with a very simple mod to a ham radio. The radios they used were Yaesu VX-5 and VX-7 models. We had a few weeks of occasional fun, sitting a few parking lots away and saying all kinds of horrible things to potential fast food customers. For the most part, I didn't record any of it. But you can find a few clips of our fast food hijinks if you scroll down on the PLA Sound Clips Archive page.

Finally we decided to capture a bit of our FCC violations on video. But instead of capturing actual customers being harassed by us as they placed an order, I drove through the Taco Bell drive-thru myself with a video camera sitting on the dashboard. As I attempted to place my order, RijilV informed me of some crazy new Taco Bell policies and a manager immediately rushed out to explain to me that I wasn't actually talking to an employee. Here is that video:

After spending several years on Google Video and YouTube, it's been watched approximately 20,000 times. And of those 20,000 people who have viewed it, approximately all of them have emailed me and asked me what kind of radio we used and how can they use a radio to do the same thing. So in the spirit of April 1st and in order to quell the number of emails sent to me and posts on the PLA Forums asking the same thing, I've decided to write this tutorial to help those people out.

But I'm not going to explain how to modify a Yaesu VX5 or a Yaesu VX7. A simple Google search will show you how to modify these ham radios. The problem with these mods is that, even though they're fairly simple, you have to buy the radios which could cost you anywhere from $200 – $400. Then, after removing a couple solder points, you have to learn how to use it, you have to look up fast food frequency lists, you have to understand the difference between the transmit frequencies and the receive frequencies and you have to scroll through PL tones using trial and error to find the correct one.

Or how about we do this a different way. A way that uses a couple items that you might already have in your home. You can easily modify most old CB radios in a way that will allow them to transmit directly to drive-thru frequencies. You won't have to scroll through hundreds of possible drive-thru frequencies, because a CB radio's channels line up in exactly the same way as most drive-thru's channels, only at a higher frequency. How do you get your CB radio to run at a higher frequency? A simple replacement of the crystal inside, with a 6.5536 MHz crystal. This triples the megahertz that are broadcast on and there is no learning required. You just take the modified CB radio to a fast food restaurant and start broadcasting to the customers.

“But RBCP, I don't have a 6.5536 MHz crystal lying around my house,” you might be whining at this point. But this isn't true. Just about any house has several 6.5536 MHz crystals in them if you know where to look. This just happens to be the exact same crystal that you can find in electric heaters, hair dryers, electric stoves, curling irons, electric hot water heaters, irons, and toasters. These crystals are in just about any item that has heated coils and are used to control the frequency of the heating elements so that they don't burn your house down.

So for this modification you need…

1 CB radio. It has to be a 40 channel CB radio with a digital display, which includes just about any CB radio manufactured after the mid 1980's. The old 23 channel CBs from the 1970's will not work. It can even be a walkie talkie CB radio. If you don't have one, you can find one at Goodwill or a yard sale for probably less than $10.

1 toaster. (Or other item with heating elements inside.) A toaster is the most ideal to use, because it's almost guaranteed to have the crystal inside of it. It's more common to find curling irons and hair dryers that don't. Again, it should be a toaster manufactured within the past 20 years or so. Before that they didn't have crystal requirements for toaster manufacturers. (And incidentally, there were a lot more electrical house fires back then.) Goodwill will probably have a toaster for less than $10.

1 soldering iron and solder. Don't worry if you don't have soldering experience. It's actually pretty easy. Click here for a soldering tutorial. You can purchase a soldering iron at Radio Shack or Sears for about $10.

A few screwdrivers

Even if you have to buy all these materials, you're only out $30. That's a lot better than the $300 you might end up spending on a Yaesu radio. And some of you might already have all these items so you don't have to pay anything. Ask a friend or a relative if they've got an old toaster or CB radio lying around that they don't need.

First you'll want to take apart your toaster. This isn't too hard. Just flip it upside down and start removing the screws. You'll probably need to pull off the plastic lever and knobs before you remove the top of the toaster. Once you have the top off, you'll see a green or brown circuit board inside.

Flip the circuit board down and you'll see all the components on the other side, including the 6.5536 MHz crystal. The crystal is silver and will have 6.5 stamped on the side of it. In the picture below, I've used an arrow to show you where it's located.

The crystal is likely in a different spot in other toasters, but it's hard to mistake for any other electronic component. The crystal will have some form of 6.5 stamped on the side of it. In my toaster, it showed 6.55-12. While the official frequency needed is 6.5536 MHz, anything within 1.6 megahertz will work. So don't worry if your crystal just says 6.5 or 6.50 – it's all the same for our purposes.

It's kind of hard to see what I'm doing in the picture above, but I'm heating up the leads on the crystal from underneath with my soldering iron to melt the solder, and I'm pulling on the crystal from above with a pair of needle nose pliers. It only takes a few seconds to get the crystal out of the toaster.

Now that the crystal is out of your toaster, throw your toaster away! Do not attempt to use it once the crystal is removed. Remember, the crystal is in there for safety and using your toaster without the crystal could burn your toast and/or start a kitchen fire. It's likely your toaster won't even turn on with the missing crystal, but please don't even try. Just throw it away.

As I mentioned before, just about any brand and model of CB radio will work, as long as it has the digital display on it. Which means, just about any CB radio manufactured after the mid 1980's. These are the kinds of CB radios whose frequencies are controlled by a single crystal inside of them. For my mod, I used a Radio Shack TRC-207 walkie talkie CB radio, which is pictured above. I prefer using a walkie talkie CB radio because it doesn't require sticking a huge CB antenna on the roof of my car which might be noticed if a fast food employee starts looking around the parking lot for the culprits.

Taking apart your CB radio is just as easy as taking apart the toaster. Remove the screws and pop it open. You may or may not have to lift up the circuit board inside to find the crystal inside. In my particular model, the crystal actually plugged into a socket so I didn't need to even desolder the old crystal. I just pulled it out with my fingers and then plugged in the new 6.55 MHz crystal. I don't know how common this is, because in other CB radios that I've modified the crystal was soldered to the circuit board, just like in the toaster.

Put your CB back together and test it to make sure it's working. You're finished! Obviously, you won't be able to talk on normal CB channels anymore since your CB is transmitting and receiving at a much higher frequency now. But who cares, CB channels are lame anyway. Let's hop in the car and drive to our nearest fast food establishment to test it out.

Sit near the drive-thru and wait for a customer to pull up. While the customer is talking to the drive-thru speaker, start flipping through your channels until you hear them talking. I've found that most drive thrus end up being somewhere in the 16 – 25 channel range. I've never found one above channel 30 and only a few on channels 1 through 15. It all depends on how their drive-thru is set up and what frequencies they're using. Anyway, push down your talk button and start talking to the customer.

The cool thing about using a CB radio to transmit on drive-thru frequencies is that a CB is designed to work for several miles. The headsets that those fast food people wear are only designed to work for about 100 feet. So you can easily overpower the employees, even if you're several parking lots away. In fact, you may be inadvertently screwing with several other drive-thrus in town without even knowing it. This is more likely when you're using the kind of CB radio that's supposed to be installed in a car. Those usually run on 5 watts and can cover an entire city. This is another reason I like to use my walkie talkie. It's lucky if it will work for even a mile, so I'm only harassing one restaurant at a time.

If you found this tutorial useful, you might also enjoy the video I've made on the same subject. It includes much of the same information in this tutorial, but also includes actual footage of us messing with a drive-thru with this CB mod. Enjoy!

I’m looking at the Microsoft OCS server and other SIP integration environments. So I thought I would put the links here for others who were interested. I am also considering the issues associated with Mitel VoIP and OCS integration.

It would be interesting if the Microsoft OCS could seamlessly allow the use of soft phones together with the Mitel VoIP system. I assume a trunk needs to be set up between the two… Anyway, something to look at.

Many systems don't lock accounts after X failed logins. This is normally done for good customer service, but it leaves the system vulnerable.

– And all the other things expected for a remote login session (forced password changes, aging, etc.).
– Tools such as Brutus may be used to brute force authenticated sessions.

Many allow session sequence numbers to be incremented, allowing an authenticated user to view other customers' sessions.

– These may be server side, client side, cookie based, etc.
– Get someone to check the development methodologies and the code being used.
– Database query strings can be placed into text entry fields, allowing table dumps to the browser.
– Check that all pages served are secure and contain user authentication flags.
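An added example (not part of the original checklist) of the session weakness the last two points describe, with the hardened form beside it: a constructed in-memory session store that hands out incrementing ids and trusts any id presented, against one that issues random ids and checks, on every request, that the session actually owns the customer record asked for. The customer records, customer ids and store classes are all assumed for the example.

```python
import secrets
from itertools import count

# Constructed customer records. In the architecture the checklist asks for,
# these come from the secure back-end database, never from the web server.
ACCOUNTS = {
    "cust-a": {"balance": 120},
    "cust-b": {"balance": 9800},
}


class SequentialSessionStore:
    """Weak design: session ids are a plain counter, so a logged-in customer
    who adds one to their own id lands on the next live session."""

    def __init__(self):
        self._ids = count(1000)
        self._owner = {}  # session id -> customer id

    def login(self, customer_id):
        sid = str(next(self._ids))
        self._owner[sid] = customer_id
        return sid

    def owner_of(self, sid):
        return self._owner.get(sid)


def view_statement_weak(store, sid):
    """Weak handler: whatever session id the client presents is trusted, and
    the record returned is whichever customer that session belongs to."""
    return ACCOUNTS.get(store.owner_of(sid))


class RandomSessionStore(SequentialSessionStore):
    """Hardened: 256-bit ids from the OS CSPRNG, so there is nothing to
    increment and no neighbouring session to land on."""

    def login(self, customer_id):
        sid = secrets.token_urlsafe(32)
        self._owner[sid] = customer_id
        return sid


def view_statement(store, sid, requested_customer):
    """Hardened handler: the session must be valid AND must own the customer
    record requested. Authorisation is repeated on every request, not only
    at login, which is the 'additional authentication between sections'
    the checklist asks about."""
    owner = store.owner_of(sid)
    if owner is None:
        raise PermissionError("not authenticated")
    if owner != requested_customer:
        raise PermissionError("session does not own the requested record")
    return ACCOUNTS[requested_customer]


def session_ids_guessable(store):
    """Reviewer check: open two throwaway sessions and see whether the second
    id is simply the first plus one. True means the store is enumerable."""
    first = store.login("probe-1")
    second = store.login("probe-2")
    try:
        return int(second) == int(first) + 1
    except ValueError:  # random ids are not integers at all
        return False
```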

Customer data may not be segregated, this needs to be checked.

Customer data should not reside on the Web Server.

Authentication databases / system data should not reside on the webserver.

The databases should reside on a private/semi-private network.

– A different segment to the main banking system.

The web server should be dual-homed or equivalent (some VLAN techniques are good).

At all data segregation points, ensure rules are in place that account for the traffic passing through that point.

All customer data where possible should be sourced from a secure back-end database.

– This may be a staging environment, i.e. not the main banking system.
– This usually allows transactions to appear real time to the customer.
– Many transactions may be batched in reality (internal or external to the bank).

Ensure suitable rules have been set-up on firewalls.

– There should be inbound and outbound rules on firewalls and filtering routers.

Don't allow any infrastructure on the front end to accept remote administrative connections (telnet, etc.).

– Use the serial console port to connect to a server or back-end terminal server.

Look for the segregation / staging of online customer content from main banking systems

Ensure that a separate development / QA / production environment system and suitable process is in place.

Check whether services not used by the system are active.

– These should be disabled.

Port scan of the supporting infrastructure (routers /switches) and server(s).

Is additional authentication used between sections of the services once authenticated?

Consider what the customer has access to once authenticated.

– Look at SWIFT, RTGS, inter-bank transfers, access to credit cards, etc.
– If an attacker does get in, what can they do?

Use techniques to ensure pages and customer details are not cached at the ISP or on the client system.

– These are flags that can be set within pages.
– Normally SSL is not cached, but some proxy vendors have been playing with techniques to do so.
– Caching of SSL pages on the client system can be turned on in some browsers.
– Many banks use a Java (or similar) applet for all customer interaction, sidestepping all caching issues.

Ensure paper-based and on-line liability clauses are available and address all affected areas.

Ensure within the customer sign-up process banking liability is reduced.

– I've seen statements like “use this system at your own risk, responsibility for any liability or claim will NOT……”
– Not very customer focused, but that's what their legal department recommended.

All of the above can affect the security and/or operation of an on-line banking system.

Other things to consider:

External development and support of the application.

Ownership and management of the hardware/applications

Publishing points for new content (internal/private/trusted network or Internet)

Topology of the front end, i.e. a Security Architecture document should be in place and managed appropriately.

Are limited AP tests performed whenever changes are made to the environment? i.e. is AP testing integrated into the change management process?

Database access: is it buffered, or is it live to the core banking systems?

What other services are shared within the network segment that the Internet Banking service is running in? Can these be used to compromise the Internet Banking site? e.g. different support/business/development organisations with differing security strategies/profiles.

Consider all external supporting services within your AP. Look at internal/external DNS poisoning opportunities, mail relays, etc. What ISPs do they use? Does the ISP have any opportunity to access systems or supporting services which may affect Internet Banking?

Depending on the size of the bank, many organisations do not use the same support groups for the infrastructure and the application. As a result, external connections to the infrastructure may be provided for an external support organisation to administer the infrastructure.

Look at the business and user authentication methods and paths (client side certs, SecurID, smart card, etc.). Consider two factor authentication and modern user identification methods, e.g. “what is your favourite food” in addition to normal usernames and passwords. Do system administration staff use dynamic passwords (SecurID, etc.)?

See if the Internet Banking application sends email to users which may contain interesting information.

Better access to the application can generally be gained after access to the system, i.e. get a legitimate account on the system. I have found that some sample/administration screens have been restricted to authenticated users only.

Consider social engineering the Help desk to have an account password reset.

3. Configure Interface

Config-if# ip address 192.3.5.5 255.255.255.0
Config-if# no shutdown
Config-if# encapsulation ppp
Config-if# dialer-group 1 – applies the dialer-list to this interface
Config-if# dialer map ip 192.3.5.6 name Lab-b 5551212 – connect to lab-b at 5551212 with ip 192.3.5.6 if there is interesting traffic; can also use “dialer string 5551212” instead if there is only one router to connect to

5. Other Options

Config-if# hold-queue 75 – queue 75 packets before dialing
Config-if# dialer load-threshold 125 either – load needed before the second line is brought up; “125” is any number 1-255, where % load is x/255 (i.e. 125/255 is about 50%); can check by in, out, or either

Config-if# dialer idle-timeout 180 – determines how long to stay idle before terminating the session; default is 120

Step 5 Router(config-route-map)# match ip address prefix-list ROUTE – Specifies the aggregate route to which a more specific route will be injected.

Step 6 Router(config-route-map)# match ip route-source prefix-list ROUTE_SOURCE – Configures the prefix list named ROUTE_SOURCE to redistribute the source of the route. Note: the route source is the neighbor address that is configured with the neighbor remote-as command. The tracked prefix must come from this neighbor in order for conditional route injection to occur.

Step 7 (dhcp-config)#lease 7 – Specify the lease duration for the addresses you’re using from the pool.

Step 8 (dhcp-config)#exit – Exit Pool Configuration Mode.

This takes you back to the global configuration prompt.

Next, exclude any addresses in the pool range that you don’t want to hand out.

For example, let’s say that you’ve decided that all IP addresses up to .100 will be for static IP devices such as servers and printers. All IP addresses above .100 will be available in the pool for DHCP clients.

Telnet sends all data including passwords in clear text which can be intercepted.

SSH encrypts all data preventing an attacker from intercepting it.

Setting up a local username/password login database for use with telnet:

configure terminal

line vty 0 4

login local

exit

username telnetuser1 password secretpass

To set up SSH you need to create the local user database, specify the domain name with the ip domain-name command, and create a crypto key with the crypto key generate rsa command. To enable SSH on the VTY lines, use the command transport input ssh.

If you connect two Cisco switches together and the link lights don't go amber then green, but instead stay off, a straight-through cable has been used instead of a crossover cable.

The term ‘a switch's management interface’ normally refers to VLAN1.

Assign a default gateway using the ip default-gateway ipaddress command.

You can use the command interface range fastethernet 0/1 – 12 to select a range of interfaces to configure at once.

The MOTD banner appears before the login prompt.

The login banner appears before the login prompt but after the MOTD banner.

The exec banner appears after a successful logon.

line con 0 – configuring logging synchronous on the console port stops the router from displaying messages (like an interface state change) until it detects no input from the keyboard and no other output from the router, such as a show command's output.

On media that supports multicasts at the data link layer, CDP uses multicast frames. On other media, CDP sends a copy of the CDP update to any known data-link addresses.

The show cdp command shows CDP settings.

CDP can be disabled globally using the command no cdp run and re-enabled using cdp run.

CDP can be disabled at the interface level using the no cdp enable interface subcommand.

The command show cdp neighbor lists one summary line of information about each neighbor, including:

Device ID – the remote device's hostname.

Local Interface – the local switch/router interface connected to the remote host.

Holdtime – the number of seconds the local device will retain the contents of the last CDP advertisement received from the remote host.

Capability – shows you the type of device the remote host is.

Platform – the remote device's hardware platform.

Port ID – the remote interface on the direct connection.

The command show cdp neighbor detail lists one large set (approx. 15 lines) of information, one set for every neighbor, including:

The IOS version.

VTP management domain.

Management addresses.

show cdp entry name – lists the same information as the show cdp neighbors detail command, but only for the named neighbor (case sensitive).

show cdp – states whether CDP is enabled globally, and lists the default update and holdtime timers.

show cdp traffic – lists global statistics for the number of CDP advertisements sent and received.

show cdp interface type number – states whether CDP is enabled on each interface, or on a single interface if the interface is listed, and states the update and holdtime timers on those interfaces.

CDP should be disabled on interfaces where it is not needed, to limit the risk of an attacker learning details about each switch or router. Use the no cdp enable interface subcommand to disable CDP and the cdp enable interface subcommand to re-enable it.

The command show cdp interface shows the CDP settings for every interface.

Interface status messages:

Interface status is down/down – this indicates a physical problem, most likely a loose or unplugged cable.

Line protocol is down, up/down – this indicates a problem at the logical level, most likely an encapsulation mismatch or a missing clock rate.

Administratively down – this indicates the interface has been shut down and needs to be manually opened with the interface subcommand no shutdown.

Most problems on a switch are caused by human error – misconfiguration.

The command show debugging shows all the currently running debugs.

undebug all – will turn all debugging off.

The command show vlan brief shows a switch's VLAN configuration.

If pinging 127.0.0.1 fails on a PC, there is a problem with the local PC, most likely a bad install of TCP/IP.

On a PC the command netstat -rn shows the PC's routing table.

Additional Telnet commands:

show sessions shows information about each telnet session; the where command does the same thing.

resume x, x being the session number is used to resume a telnet session.

To suspend a session use the command CTRL+ALT+6.

To disconnect an open session use the command disconnect x, x being the session number.

Ping result codes:

!!!!! – IP connectivity to the destination is ok.

..... – IP connectivity to the destination does not exist.

U.U.U – the local router has a route to the destination, but a downstream router does not.

debug ip packet – can help troubleshoot the above ping results.

When using traceroute or extended ping the Escape Sequence is: CTRL+SHIFT+6.

Extended ping can only be run from enable mode.

If a routing table contains multiple routes to the same destination with multiple next hops and the prefixes are different, the most specific (longest) prefix route will be used. If all of the prefix lengths are the same the Administrative Distance will be used. [AD/Metric].

Administrative Distance is a measure of a route's believability, with a lower AD being more believable than a route with a higher AD. AD only comes into play if the prefix lengths are the same.

You can set the Administrative Distance on a static route with the command ip route 55.55.55.0 255.255.255.0 192.168.1.2 150; you would do this to set a backup route for use if a dynamic route fails or is not available in the routing table.
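As an added example that is not part of the original notes, the Python function below applies the selection order the last three notes describe (longest prefix first, then lowest AD, then lowest metric) to a constructed routing table that holds the floating static route from the command above (AD 150) beside an OSPF route for the same prefix. The table entries, next-hop addresses and routing sources are assumed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # destination network, e.g. "55.55.55.0/24"
    next_hop: str
    ad: int          # administrative distance, the "AD" in [AD/Metric]
    metric: int      # the "Metric" in [AD/Metric]
    source: str      # routing source the route was learned from

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)


def select_route(destination, routes):
    """Return the route(s) a router would use to reach `destination`.

    Preference order, as the notes describe:
      1. longest (most specific) matching prefix
      2. lowest administrative distance, only among equal prefix lengths
      3. lowest metric, only among routes with the same AD
    More than one route is returned when all three tie (equal-cost paths).
    """
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return []
    longest = max(r.network.prefixlen for r in candidates)
    candidates = [r for r in candidates if r.network.prefixlen == longest]
    best_ad = min(r.ad for r in candidates)
    candidates = [r for r in candidates if r.ad == best_ad]
    best_metric = min(r.metric for r in candidates)
    return [r for r in candidates if r.metric == best_metric]


def next_hops(destination, routes):
    """Next-hop addresses chosen for `destination`, sorted for stable comparison."""
    return sorted(r.next_hop for r in select_route(destination, routes))


# Constructed routing table. The static entry mirrors the command in the notes,
#   ip route 55.55.55.0 255.255.255.0 192.168.1.2 150
# so it is a floating static route that only wins once the OSPF route is gone.
OSPF_ROUTE = Route("55.55.55.0/24", "10.0.0.1", ad=110, metric=20, source="ospf")
FLOATING_STATIC = Route("55.55.55.0/24", "192.168.1.2", ad=150, metric=0, source="static")
# A more specific prefix wins even though RIP's AD (120) is worse than OSPF's (110).
RIP_SPECIFIC = Route("55.55.55.128/25", "10.0.0.9", ad=120, metric=3, source="rip")
# Two OSPF routes with identical prefix, AD and metric: equal-cost paths.
OSPF_ECMP_A = Route("172.16.0.0/16", "10.0.0.1", ad=110, metric=30, source="ospf")
OSPF_ECMP_B = Route("172.16.0.0/16", "10.0.0.2", ad=110, metric=30, source="ospf")

FULL_TABLE = [OSPF_ROUTE, FLOATING_STATIC, RIP_SPECIFIC, OSPF_ECMP_A, OSPF_ECMP_B]
# The same table after the OSPF route for 55.55.55.0/24 has been withdrawn.
TABLE_OSPF_LOST = [FLOATING_STATIC, RIP_SPECIFIC, OSPF_ECMP_A, OSPF_ECMP_B]


if __name__ == "__main__":
    for name, table in (("full", FULL_TABLE), ("ospf lost", TABLE_OSPF_LOST)):
        for dst in ("55.55.55.10", "55.55.55.200", "172.16.5.5", "8.8.8.8"):
            print(f"{name:9} {dst:13} -> {next_hops(dst, table)}")
```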